Library Header Image Library Header Image

From Containers to Models - The New Unified Supply Chain Attack Surface


Posted on by Advait Patel

Key Takeaways:

  • Supply-chain risk isn’t just a container problem anymore. The same pipelines that ship images now also pull models, datasets, and agent tools, so one weak link can taint everything downstream.
  • Most attacks don’t start in production. They start earlier: compromised dependencies, poisoned images, tampered build environments, or unvetted model artifacts that your pipeline implicitly trusts.
  • You can reduce the blast radius with one unified playbook. Treat code, containers, and models as first-class artifacts: verify provenance, sign what you ship, isolate builds, enforce policy-as-code, and continuously check runtime drift.

Software supply chain attacks are the failure mode I have run into most often while securing and operating cloud services at the production level. In production, the outages and incidents rarely start with someone “hacking prod”. They start earlier, when a trusted input sneaks into the pipeline and we promote it because it looks legit. For example, a base image that quietly changed, a dependency pulled without pinning, or a build tool update that introduced behavior without any review.

In my day-to-day work, the problems have been simple, reduce the number of ways we can deploy risk without noticing. We tried the playbook first, scan the images, track the Common Vulnerabilities and Exposures (CVEs), validate the runtime permissions and those steps helped, but they did not close the real gap. What worked better was treating the Continuous Integration and Cotinious Delivery/Deployment (CI/CD) pipelines itself as the product. We pinned, verified inputs, isolated build, enforced least privilege access, and made “what exactly did we deploy and where did it come from?” answerable in minutes. If we don’t extend the same rigor to these AI artifacts, we’re rebuilding the same supply-chain problem with a bigger blast radius.

AI-native applications amplify this challenge. Organizations now deploy models, datasets, and agents. These artifacts execute logic and influence outcomes. They deserve the same security rigor as code.

Why AI Changes the Supply Chain Threat Model

Software Supply-chain Attacks Keep Accelerating 

Build and dependency systems are under attack. Weakened artifacts bypass the perimeter security measures. They enter the production environments as trusted elements. The average organization now relies on over 220 SaaS applications which expands the supply-chain attack surface, and Verizon’s 2024 DBIR (Data Breach Investigations Report) reports a 68% increase in third-party software-related breaches.

AI Artifacts Expand the Trusted Boundary 

AI presents models, datasets, and inference runtimes. These artifacts are executable logic. They affect judgments and automated processes. They are hardly inspected by traditional AppSec tools.

Because model and dataset provenance is inconsistent, pipelines often accept artifacts without authentication or validation. Attackers exploit this gap, so supply-chain controls must extend to models and data, not only code and containers.

Containers and AI Are One Security Problem 

AI Workloads Depend on Containerized Foundations 

Majority of AI services run in containers. Inference layers are based on images and runtimes. ML libraries and graphics processing unit (GPU) drivers widen attack surface. Compromised images could compromise execution of the models.

Containers specify isolation and permissions. They regulate filesystem, network, and device access. These controls are relied upon by model security. Insecure container security destroys AI trust. 

Models and Images Share the Same Pipelines 

CI systems develop images and retrieve models. They both use external registries and repositories. They both pass through staging and promotion phases. The artifact boundaries are easily crossed by threats.

They are usually treated differently by security tooling. Scanning and signature are done to the images. Models tend to omit similar checks. This disparity will form exploitable loopholes. 

One Pipeline with Multiple Injection Points 

Source Code and DockerfileRisks 

Developers write code and create instructions of the application. Base images and package sources are specified in Dockerfiles. Unsafe defaults bring inherited vulnerability. Build definitions have to be part of the static analysis.

Feb 9 2026 Blog

Non-reproducible builds are made by unpinned versions. 

CI Dependency and Base Image Exposure 

CI draws dependencies when automated builds are made. Base images have the capability of containing concealed rogue layers. Shared runners enhance blast radius. Verification of artifacts must take place in the early stages. 

Model Sourcing and Fine-tuning Risks 

Models on public hubs are brought to pipelines. Poisoned samples may be considered as fine-tuning data. Model updates are frequently not subjected to provenance. Model files should also be controlled on integrity. 

Runtime Deployment and Orchestration Flaws 

Kubernetes plans containers and model services. Namespace configurations not configured correctly compromise isolation assurances. Confidential information can leak via environment variables. Endpoints inference should be monitored.

Agentic Layers and Third-party Integrations

Agents coordinate activities in APIs and resources. They are known to possess high permissions. Access that has been mis-scoped can be laterally moved. There must be strict connector policies in agent security.

Applying Container Security Patterns to AI

When teams start shipping models, they often treat them like “data files”. In production, they behave more like container images. They are packaged artifacts that move across environments, get pulled implicitly, and can introduce risk long before runtime.

SBOMs for Images, Models, and Runtimes 

In my experience, scanning the final container image is necessary but not enough. For AI workloads, I have seen the same thing happen with model runtimes and Python dependencies where the model loads fine, but you deploy transitive dependency or a runtime library with known issues without human review.

What to do:

  • Generate a Software Bill of Materials (SBOM) at build time for the container image, the model package, and the runtime environment
  • Treat SBOM generation as a release requirement, not an optional report.

What you get: faster triage when a new CVE drops.

Provenance and Artifact Signing Everywhere

One of the most effective controls I have used in the production pipeline is, if it is not signed, it doesn’t ship. For containers, signing closed a big gap where teams were pulling “latest” images or rebuilding from slightly different inputs.

What to do:

  • Sign the build outputs of container images and model artifacts
  • Keep track of who built it, from which repo/commit, with which dependencies and all

Policy-as-code for Builds and Models

The biggest failures I have seen come from unpinned dependencies, unapproved base images, or pulling a model from an external registry without a clear trust boundary. Policy-as-code is where this becomes enforceable.

What to do:

  • Use Open Policy Agent (OPA) to enforce, approved base images, registries, pinned dependency versions, allowed model sources, required signature checks.
  • Apply the same policies to both build pipelines and model promotion workflows.

What you get: Lower number of incidents and fewer exceptions that quietly become the norm

Isolated Build and Inference Environments

Isolation is the control that stops a single compromise from turning into a broad event. For containers, segregating untrusted builds from trusted release pipelines reduced blast radius. For AI, this matters even more because inference services often have network access, secrets, and sensitive data.

What to do:

  • Separate dev, lab, and test environments from production builds or signed artifacts.
  • Start with least minimal permissions, restrict egress, hardened runtime

What Security Leaders Should Watch Next 

Silos are the next big risk

In many organizations, container security, and AI/model security are run by different teams with different tools. That creates blind spots and slows incident response, especially when a model gets pulled into a containerized environments and the compromise path crosses both. 

We Need one Unified Supply-chain Blueprint

Apply the same baseline controls to all deployable artifacts. For example, images, models, scripts, and runtimes such as approved registries, SBOMs, signing/provenance, policy-as-code gates, and consistent deployment from dev environment to prod. The advantage is fewer gaps and faster “what changed?” answers during an incident.

Attackers already view the cloud as one system. They exploit disconnected security ownership models. AI accelerates both innovation and risk.

Defenders must respond with unified supply chain security. Containers, models, and agents require equal rigor. Securing pipelines end to end reduces exposure. The future belongs to integrated security thinking. 

Contributors
Advait Patel

Senior Site Reliability Engineer, Cloud Security, Broadcom

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs